Is there an easy way to generate GPG (PGP) key pair in Azure and store in Azure Key Vault?
@JamesTran-MSFT : Could you please help me with a command for converting base64 to a .asc file? I was using the command below but it's generating an incorrect one.
[System.Text.Encoding]::UTF8.GetString(([System.Convert]::FromBase64String($privatekey)|?{$_}))|Out-File suseek_privatekey.asc
@GuptaRajesh-0548
Thank you for your post and I apologize for the delayed response!
I'm not too familiar with PGP keys, but I did find some information on this which I'll share below.
PGP KEY process:
1. Use PGP key tool to create PGP key pair with passphrase
2. Export from PGP key tool, the PGP public Key and PGP Private Key as text files (.asc)
3. Use Powershell to BASE 64 files: PGP public key, PGP Private Key, and PassPhrase
4. Import BASE 64 files into Azure Key Vault Secrets via Azure Portal or Powershell
If this is the current process you're referring to when creating PGP keys and storing them in the Azure Key Vault, the Key type (.asc) currently isn't supported by the Key Vault. For more info. If this isn't the process you're using, can you share some documentation or examples so I can gain a better understanding of your issue.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
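The four-step process above leaves the BASE 64 step to the reader. As an added example (not from this thread or from Microsoft), this bash does that step as a byte-exact round trip, which is where the .asc file usually gets mangled, and shows the az CLI calls that handle the encoding for you; the vault and secret names are placeholders.

```shell
# Added example (not from the thread): keep an ASCII-armored PGP key file intact
# when it is stored as a Key Vault secret and later restored. Assumes GNU
# coreutils; vault and secret names in the az calls are placeholders.

# Write a constructed (not real) armored private key block to use as input.
make_sample_asc() {
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '' \
        'lQdGBGNvbnN0cnVjdGVkIHNhbXBsZSBib2R5IGxpbmU=' '=AbCd' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$1"
}

# File -> single-line base64 string (the secret value). tr removes the line
# wrapping GNU base64 inserts every 76 characters.
asc_to_base64() {
    base64 "$1" | tr -d '\n'
}

# Secret value -> file. The decoded bytes go straight to disk: no text
# re-encoding, no BOM, no bytes filtered out, so gpg --import gets exactly
# what gpg --export-secret-keys produced.
base64_to_asc() {
    printf '%s' "$1" | base64 -d > "$2"
}

# Returns 0 only if the restored file still starts with the armor header and
# is byte-identical to the original.
check_roundtrip() {
    grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$' "$2" && cmp -s "$1" "$2"
}

# Alternative that skips hand-rolled encoding: az stores the file bytes
# base64-encoded and tags the secret with file-encoding=base64, which
# 'secret download' honours. Not run here; needs an authenticated az session.
store_asc_secret() {   # vault secretname file
    az keyvault secret set --vault-name "$1" --name "$2" --file "$3" --encoding base64
}
fetch_asc_secret() {   # vault secretname outfile
    az keyvault secret download --vault-name "$1" --name "$2" --file "$3" --encoding base64
}
```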
I went to my Azure Key Vault in the Azure portal; In the Settings section on the left, I chose Keys; I clicked the + Generate/Import button to "Create a key" - No options for using a passphrase?! No option for Comments?
Yes, when generating OpenSSH keys (RSA 2048) from BASH with ssh-keygen, there is the option to create a "passphrase" - This is very much desired.
I'm hoping Microsoft adds this capability, in addition to "comments", "fingerprint",
and also to Save Public Key to a file that you can share with a partner organization.
I don't see anything in the documentation about handling these aspects of secrets in Azure Key Vault, or generating them.
I'm a little surprised. I don't think I'm the only one...
If you were brought to this thread, please login and vote this comment up - It lets Microsoft know that this is important to its customers!
@JamesTran-MSFT thanks for the info, this is helpful.
To be more specific, I am looking at way to generate and secure the private portion of GPG key in such a way that it remains securely within Azure Key Vault during the entire life cycle of the key. Maybe this could be a future enhancement to consider.
@ScottStauffer-FC I agree with the enhancements you proposed. These capabilities will make Azure Key Vault truly enterprise ready.
Hello @GuptaRajesh-0548
I discovered that there IS a way to do this.
I might do a quick YouTube video on this, BUT, for now...
You can click on the Cloud Shell button in the top banner row of the Azure Key Vault (or anywhere in the Azure Portal for that matter!)
The Cloud Shell icon looks like the PowerShell Icon.
The Cloud Shell allows you to run both BASH and PowerShell Commands. If it is your first time using the Cloud Shell, it may ask you to create some storage for the purposes of creating files in.
1/3
Within the BASH Shell, you can execute this command:
ssh-keygen -t rsa -b 2048 -m PEM -f "FileNameThatIsUsedForYourKeyPair.pem" -C "This Comment Shows up in the Fingerprint" -P "This is an optional Passphrase that adds an additional layer of security for my SSH RSA Key"
And it will return the following results:
Generating public/private rsa key pair.
Your identification has been saved in FileNameThatIsUsedForYourKeyPair.pem
Your public key has been saved in FileNameThatIsUsedForYourKeyPair.pem.pub
The key fingerprint is:
SHA256:w+8fKoa8wLDIEAYiWF6ShaOR8TYI8H0NX0VBdvRQao4 This Comment Shows up in the Fingerprint
The key's randomart image is:
+---[RSA 2048]----+
|X+o+o . .+*o+..|
|O=++ + . . . + |
|o+*.. . o o .|
|oo . . . + |
|. . S E . |
|o. + o |
|... o. . . . |
| .o o. . . |
| .o .o.. |
+----[SHA256]-----+
2/3
The -m PEM is what generates the Private key in a format that Azure Key Vault will allow you to import.
AKV will only allow files with .pem extensions that follow the legacy PEM format as opposed to the NEW PEM format... apparently...
I needed RSA 2048 for my purposes.
It was also suggested that I use a Passphrase.
If you import the Private Key file into Azure (the .pem and not the .pub) and you used a Passphrase, then you will be asked to provide the "Password" in order to import the Key, or do ANYTHING with the Key for that matter (Yes, Password in Azure refers to the Passphrase).
It does not appear that the Azure UI will allow you to initially create a key with a Passphrase, and I guess this makes sense... as you are not able to remove this key from AKV once you put it there. You can take a backup, which allows you to restore it to Azure only, I suspect...
Hope this helps.
3/3
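The Cloud Shell procedure above (ssh-keygen with -m PEM and a passphrase, then importing only the .pem) as an added bash example, not the poster's own commands: it checks that the file really is in the legacy container and is passphrase-protected before it goes anywhere, then imports it with the Azure CLI. Vault and key names are placeholders, and the passphrase is assumed to be in KEY_PASSPHRASE.

```shell
# Added example (not the poster's commands): generate an RSA-2048 key pair in
# the legacy PEM container with a passphrase, verify the container before
# uploading, and import it into Key Vault. Vault/key names are placeholders;
# the passphrase is taken from $KEY_PASSPHRASE, which the caller must export.

# Key Vault imports the legacy "BEGIN RSA PRIVATE KEY" container (-m PEM), not the
# OpenSSH-native "BEGIN OPENSSH PRIVATE KEY" container ssh-keygen writes by default.
# Prints the container type and returns 0 only for the legacy PEM form.
pem_container() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----')     echo legacy-pem; return 0 ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh;    return 1 ;;
        '-----BEGIN PRIVATE KEY-----')         echo pkcs8;      return 1 ;;
        *)                                     echo unknown;    return 1 ;;
    esac
}

# A passphrase-protected legacy PEM key carries a Proc-Type/DEK-Info header;
# returns 0 only then, so an unencrypted private key is caught before upload.
pem_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED$' "$1"
}

# -N sets the passphrase at creation time, -m PEM selects the legacy container.
# Not run here; needs ssh-keygen.
generate_pem_keypair() {   # file comment
    [ -n "$KEY_PASSPHRASE" ] || { echo "KEY_PASSPHRASE is empty" >&2; return 1; }
    ssh-keygen -t rsa -b 2048 -m PEM -f "$1" -C "$2" -N "$KEY_PASSPHRASE"
}

# Import only the private key (.pem, not .pub). Key Vault asks for the passphrase
# as the "password". Not run here; needs an authenticated az session. Note that
# --pem-password is visible in the process list for the lifetime of the command.
import_pem_to_keyvault() {   # vault keyname file
    pem_container "$3" >/dev/null || { echo "refusing: not legacy PEM" >&2; return 1; }
    pem_is_encrypted "$3" || { echo "refusing: key has no passphrase" >&2; return 1; }
    az keyvault key import --vault-name "$1" --name "$2" \
        --pem-file "$3" --pem-password "$KEY_PASSPHRASE"
}
```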
Thanks @ScottStauffer-FC for the detailed info. I will give it a try, this looks reasonable from a usage perspective.